Understanding Human Authentication and Digital Identity
Explore the complexities of human authentication, classes of countermeasures, principles, personal and digital identity, and aspects of digital identity. Dive into the philosophical problem of personal identity, different types of identities, attributes, identifiers, verifiers, and the process of identity enrollment.
Presentation Transcript
Lecture 11: Human Authentication CS 5430 3/12/2018
Classes of Countermeasures
  Authentication: mechanisms that bind principals to actions
  Authorization: mechanisms that govern whether actions are permitted
  Audit: mechanisms that record and review actions
Classes of Principals
  Authentication: mechanisms that bind principals to actions
    Authenticating humans
    Authenticating machines
    Authenticating programs
Personal identity
  Major philosophical problem
  People are not identical to themselves over time, but their identity persists throughout changes (cf. Ship of Theseus)
  Intrinsic identity: continuation of consciousness
  Extrinsic identity: relationship to everything else
  Control: the individual's, others', or no one's?
Digital identity
  Digital identity: data that describes a person and its relationship to others
    Not the person itself; not a personal identity
  A person could have many digital identities, some overlapping, some contradictory
  Data could be incorrect, outdated, incomplete
Aspects of digital identity
  Name, NetID, email address, URL, IP address, citizenship, political party, ...
Identity
  Attribute: property of a principal
    e.g., name is "Ezra Cornell", birthdate is 01/11/1807, mother's maiden name is Barnard
  Identity: set of attributes
    Each principal may have many identities, for use in different scenarios (student, taxpayer, athlete)
  Identifier: an attribute that is unique within a population
  Verifier: an attribute that is hard to produce, hence can be used as a basis for authentication
Identity
  Enrollment: establishing identity with a system
    Create an account
    Get an ID card, visa
    Register a machine on a network
    Get a signing key from a provider
  System might (not) verify claimed attributes during enrollment
    Websites rarely do
    Governments often do
Authentication of humans
  Categories [IBM, TR G520-2169, 1970]:
    Something you are: fingerprint, retinal scan, hand silhouette, a pulse
    Something you know: password, passphrase, PIN, answers to security questions
    Something you have: physical key, ticket, {ATM, prox, credit} card, token
Authentication of humans
  Two-factor authentication: authenticate based on two independent methods
    ATM card plus PIN
    Password plus registered mobile phone
  Multi-factor authentication: two or more independent methods
  Best to combine separate categories, not reuse categories
    Non-example: requiring two passwords from a single human: arguably not independent
    Non-example: requiring a single password from each of two humans: authenticates two humans, then makes an authorization decision
Biometric
  Biometric: measurement of biological and behavioral attributes (something you are)
    Biological attributes can be confounded by behavior
    Biology and behavior are non-constant: variation from one measurement to the next
Example: Fingerprint
  Particular use: California social services, to prevent applicants for welfare from defrauding the state by receiving assistance under multiple identities
  Fingerprint stored as bitmap and as minutiae
  When user authenticates, computer compares minutiae
  If they match, a human additionally reviews the bitmap images (about 15 out of 10000 authentications have a minutiae match even though the fingerprints do not)
Example: Hand geometry
  Used in 2012 Olympic Games, Walt Disney World, nuclear facilities, data centers, ...
  Camera images palm and side of hand (no texture information)
  Images reduced to (e.g.) 31000 points, then 90 measurements, then 9 bytes of data
    Final data not directly related to any source measurements
  Data stored as a template for later comparison
  When user authenticates, another set of images is taken
    If data are close enough to stored template, user deemed authenticated
    Can adjust threshold per-user, in case some users are difficult to authenticate
  Each time user is authenticated, template is updated to account for change over time
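The matching loop just described (stored template, distance threshold that can be set per user, template update after each successful authentication), as an added example in Python; it is not the lecture's or any vendor's code. The 9-value measurement vectors, Euclidean distance, the threshold values and the update weight are assumptions, and the sample vectors are constructed.

```python
# Added example (not from the lecture): a minimal template matcher in the style
# of the hand-geometry system described above. Each user is enrolled with a
# small measurement vector (standing in for the lecture's 9 bytes); on each
# attempt a fresh vector is compared to the template, a per-user threshold
# decides, and a successful authentication nudges the template toward the
# new measurement so that slow change in the hand is tracked.
import math


class TemplateMatcher:
    def __init__(self, default_threshold=4.0, update_weight=0.2):
        self.templates = {}    # user -> stored template vector
        self.thresholds = {}   # user -> per-user distance threshold (assumed units)
        self.default_threshold = default_threshold
        # Bounded weight: one accepted sample can only move the template a little,
        # which limits how far a single borderline acceptance can shift it.
        self.update_weight = update_weight

    def enroll(self, user, measurements, threshold=None):
        """Store the enrollment vector; a looser threshold can be given for a hard-to-authenticate user."""
        self.templates[user] = list(measurements)
        self.thresholds[user] = threshold if threshold is not None else self.default_threshold

    @staticmethod
    def distance(a, b):
        """Euclidean distance between two measurement vectors (assumed metric)."""
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def authenticate(self, user, measurements):
        """True if the sample lies within the user's threshold of the template.
        Only an accepted sample updates the template; a rejected one never changes it."""
        if user not in self.templates:
            return False
        template = self.templates[user]
        if self.distance(template, measurements) > self.thresholds[user]:
            return False
        w = self.update_weight
        self.templates[user] = [(1 - w) * t + w * m for t, m in zip(template, measurements)]
        return True


# Constructed sample vectors (not real hand measurements).
ALICE_ENROLL = [120, 80, 45, 30, 22, 18, 15, 12, 10]
ALICE_LATER = [121, 81, 45, 30, 22, 18, 15, 12, 10]     # same hand, small drift
IMPOSTOR = [130, 90, 50, 30, 22, 18, 15, 12, 10]        # different hand
```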
Example: Facial recognition
  Used in border control, Facebook, iPhone X
  Operates on 2D image or depth map
  Modern systems use ML classifiers to identify matches
  Most systems perform poorly on profiles, low-res images
  Most systems perform less well on women and minorities
Biometric attributes as verifiers
  Advantages:
    Can't lose or forget a biometric
    Easy to use some biometrics (e.g., fingerprint scan vs. PIN on iPhone)
  Disadvantages:
    Updating identities after disclosure is hard (new fingerprints? new retina?)
      So enrolling a biometric identifier places permanent trust in the receiver, even if they go bankrupt, retroactively change privacy policies, get taken over by a new administration, ...
    Impossible to be application specific (your hand geometry is the same regardless of what system you use)
    Physical process with errors...
    Fear of negative implications for privacy...
Biometric attributes as verifiers
  Requirements:
    Identifier
    Easy to measure
    Small variation over time and measurement
    Difficult to spoof
    Acceptable to users
Accuracy
  False accept: authenticate a principal with wrong identity (fraud)
  False reject: fail to authenticate a principal under right identity (insult)
  Hypothesis testing: null hypothesis: human being authenticated has claimed identity
    False accept = type II error
    False reject = type I error
  Tunable trade-off of sensitivity between which error is more likely
  False acceptance rate (FAR): percentage of attempts in which imposters are authenticated (with wrong identity)
  False reject rate (FRR): percentage of attempts in which legitimate users are denied authentication
Sensitivity
  Receiver operating characteristics (ROC) curve: graph of FRR vs. FAR (or perhaps 1 - FAR, perhaps nonlinear axes)
  [Figure: ROC curve (WVU, September 22, 2009). The curve is parameterized by the sensitivity setting: FAR and FRR can each be estimated at every sensitivity between its minimum and maximum, and FRR plotted against FAR. Graph source: http://www.csee.wvu.edu/~natalias/biom426/performance_fall09.pdf]
ROC comparison
  Crossover error rate (CER): value on ROC at which FAR = FRR (aka equal error rate, EER)
  Many other statistics for comparison possible
  Anytime a graph is reduced to a single number, we lose information
  What matters most for biometrics is the use case/threat model
Use cases
  Entry to military facility: letting imposters in might be worse than (temporarily) delaying entry of personnel, so prefer low false accept rate
  Entry to hotel lobby: letting non-guests in might be better than (temporarily) delaying entry of guests, so prefer low false reject rate
ROC comparison
  Two matchers (A = solid; B = dashed)
  At point C, matchers have the same FAR and FRR
  To the left of C, matcher A has lower FRR for the same FAR
  To the right of C, matcher B has lower FRR for the same FAR
  [Figure: "Using ROC Curve: Example 2" (WVU, September 22, 2009), FRR vs. FAR for matchers A and B crossing at point C; matcher A is more accurate if the operational point is to the left of C, matcher B if it is to the right. Graph source: http://www.csee.wvu.edu/~natalias/biom426/performance_fall09.pdf]
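The accuracy, sensitivity and use-case material above (FAR and FRR as functions of the sensitivity threshold, the crossover error rate, and choosing a low-FAR operating point for the military gate versus a low-FRR one for the hotel lobby), carried through in Python on constructed similarity scores; this is an added example, not the lecture's or any product's code. The score lists, the "accept when score >= threshold" rule and the target rates are assumptions.

```python
# Added example (not from the lecture): FAR, FRR, the crossover error rate and
# use-case operating points computed on constructed similarity scores.
# An attempt is accepted when its score is >= the threshold (the sensitivity
# setting); raising the threshold lowers FAR and raises FRR.

# Constructed sample scores in [0, 1], not real biometric data.
GENUINE = [0.65, 0.72, 0.78, 0.80, 0.83, 0.85, 0.88, 0.90, 0.92, 0.95]   # same person
IMPOSTOR = [0.10, 0.20, 0.30, 0.40, 0.50, 0.55, 0.60, 0.70, 0.75, 0.82]  # different person


def far(impostor, threshold):
    """False accept rate: fraction of impostor attempts scoring at or above threshold (fraud)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False reject rate: fraction of genuine attempts scoring below threshold (insult)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def roc_points(genuine, impostor, steps=100):
    """Sweep the threshold from 0 to 1; return (threshold, FAR, FRR) triples in threshold order."""
    return [(t / steps, far(impostor, t / steps), frr(genuine, t / steps)) for t in range(steps + 1)]


def crossover_error_rate(genuine, impostor, steps=100):
    """Operating point where FAR and FRR are closest: the CER / equal error rate."""
    return min(roc_points(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))


def choose_threshold(genuine, impostor, max_far=None, max_frr=None, steps=100):
    """Pick an operating point for a use case.
    max_far: lowest threshold with FAR <= max_far (military gate: bound fraud, then minimise insult).
    max_frr: highest threshold with FRR <= max_frr (hotel lobby: bound insult, then minimise fraud).
    """
    points = roc_points(genuine, impostor, steps)
    if max_far is not None:
        return next(p for p in points if p[1] <= max_far)
    if max_frr is not None:
        return next(p for p in reversed(points) if p[2] <= max_frr)
    raise ValueError("give max_far or max_frr")


if __name__ == "__main__":
    print("CER (threshold, FAR, FRR):", crossover_error_rate(GENUINE, IMPOSTOR))
    print("military, FAR <= 0.1:", choose_threshold(GENUINE, IMPOSTOR, max_far=0.1))
    print("hotel, FRR <= 0:", choose_threshold(GENUINE, IMPOSTOR, max_frr=0.0))
```

The single CER number hides the shape of the curve; the two choose_threshold calls show why the operating point, not the CER, is what the use case fixes.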
Spoofing
  Active adversary fools sensor with artificial object
  Solutions: better sensors, better biometrics, multi-factor authentication
Privacy concerns
  Humans might have concerns about measurements (having a photo taken, parts of the body scanned)
  Humans might not want to disclose attributes during enrollment (SSN, political party)
  Humans might not want an action bound to their identity (buying medication)
  Humans might not want their actions linked to other actions, exposing them to inference about what they thought were unrelated activities
Principles for privacy
  When building authentication systems...
    Seek consent: get permission to authenticate and store identity
    Select minimal identity: use the smallest possible set of attributes
    Limit storage: don't save information about identity or authentication without need, and delete it when no longer needed
    Avoid linking: don't reuse identifiers across systems
Privacy and biometrics
  Biometrics can violate intrinsic privacy by requiring submission to bodily contact or measurement
    Fear of germs
    Religious prohibitions
  Biometrics can violate informational privacy
    Biometric identifiers might effectively become a standard, universal identifier, enabling linking